6a835765274d71e9f46fa67dc54a487c04ec7beeebfb1558568110e41ba01566

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41acbc0fce03ff3ae33755065931e920.exe
Size

2.6MB
MD5

41acbc0fce03ff3ae33755065931e920
SHA1

bbc79c9f3d2ca0b49a95b112e234fd4df5f2d02a
SHA256

6a835765274d71e9f46fa67dc54a487c04ec7beeebfb1558568110e41ba01566
SHA512

762ffeb4907b908b515bbebb37982e3deeea9bde426bc9322e0bde56a28d88f249c3d55c00f7cb5a1dc1fb64ea12175b689578174cbc24ca7f4e832d6f558a30
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpPb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	41acbc0fce03ff3ae33755065931e920.exe

Executes dropped EXE 2 IoCs

pid	Process
3468	locdevdob.exe
3032	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTB\\xdobloc.exe"	41acbc0fce03ff3ae33755065931e920.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1I\\boddevloc.exe"	41acbc0fce03ff3ae33755065931e920.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	41acbc0fce03ff3ae33755065931e920.exe
4584	41acbc0fce03ff3ae33755065931e920.exe
4584	41acbc0fce03ff3ae33755065931e920.exe
4584	41acbc0fce03ff3ae33755065931e920.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe
3468	locdevdob.exe
3468	locdevdob.exe
3032	xdobloc.exe
3032	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3468	4584	41acbc0fce03ff3ae33755065931e920.exe	82
PID 4584 wrote to memory of 3468	4584	41acbc0fce03ff3ae33755065931e920.exe	82
PID 4584 wrote to memory of 3468	4584	41acbc0fce03ff3ae33755065931e920.exe	82
PID 4584 wrote to memory of 3032	4584	41acbc0fce03ff3ae33755065931e920.exe	83
PID 4584 wrote to memory of 3032	4584	41acbc0fce03ff3ae33755065931e920.exe	83
PID 4584 wrote to memory of 3032	4584	41acbc0fce03ff3ae33755065931e920.exe	83

C:\Users\Admin\AppData\Local\Temp\41acbc0fce03ff3ae33755065931e920.exe
"C:\Users\Admin\AppData\Local\Temp\41acbc0fce03ff3ae33755065931e920.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\UserDotTB\xdobloc.exe
  C:\UserDotTB\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax1I\boddevloc.exe

Filesize
175KB

MD5
a1f3015285cc61b6f7c1fb4b9bd5d88a

SHA1
31bcab11ff28519c88300afbf66e526e1abf5115

SHA256
39e23e1cc01c2380e4b1b79587d9e43e412456c6329595980b35ebcf9074d0fd

SHA512
db2bc92ac55fb5b7b568b7f63f968b79770301689cab8fac5ca3dec3d5e1557cfe9efb07f7719caa26d65f7c1b980f0967bc473c606d9d022db8230fbf77feca

Download Submit
C:\Galax1I\boddevloc.exe

Filesize
2.1MB

MD5
a3ae088aa581db3142a15844dc17ce26

SHA1
5da2687c6575df3ed144f6713901ad0f3f3d197f

SHA256
18fb5390feb7cca1f9ce7a714bce68e7fed1620a04d87488aa7d6c98baeb026d

SHA512
3e6666ed1e6c501659345c7fdb871b8467f35d0f4158c9ce2c8fd771c4f1ee816a2f2d5dba1556d043af8d3dc8fd32360d1f2a5b7485e4c2ae08ef4eba2aff2e

Download Submit
C:\UserDotTB\xdobloc.exe

Filesize
595KB

MD5
83f0225c1b2c914ac844b42f57975cb0

SHA1
58926c14874447b5b3786a02a6051521a2f92d86

SHA256
6138f8e58e9011c895fec6d81f4c1be2b708f2c6799033bfdf15282bb14b9a41

SHA512
d6f03dc86bae15deb3e09b324600e1922ee93b3aaeb87f2e62522fd0ff583e4da36a322aff3aac511e892396b51a9ee1cc3b54a0ce6c9b797d1667bf6101a1d2

Download Submit
C:\UserDotTB\xdobloc.exe

Filesize
2.6MB

MD5
821430aaa4c7b86b5826e42d6a2757b0

SHA1
9d330e36f82e310af1e1b36673373c1a7b96c0ae

SHA256
18e3022e2483b8256df4d5341c83e3d8eec75b879257bc3669f40e120d96f56d

SHA512
bba2535f8ae58d599b57ec7a7cdbc73b243ba77938cf93410036de40e8b096273a26f3ebeb31625bad59bf2844a3cfc84e635ea4fd5bf0a93699c9408acc8f4a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
d5f33a69806748f64afb09022d546dc8

SHA1
6004f57a648593ece5ee594a96f7c66cad81e8c9

SHA256
5e8c209859bddc4320c41c76638c3a0f5e85a7b9b0132b009ef74cd7fd9acb08

SHA512
15c26562c6c4447b6e280d2bbdc034aef3310eb903b737b2bf68a7c950ec7a5971fb8ba0a8b40b3f11b22d184175359c5a908eeec35c8ee4cb2a1700cd81bc03

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
94abc1f71cd2b80a889a439e7eec4f2d

SHA1
05ad3a912320996d3c0060b6bd61e46ad06ccd22

SHA256
5a4fc5a7d4eef0b58601edf43a2b9794e42a7c4c3880e404b5ddeaf49d8c7951

SHA512
3dac0e9d068f0a353d969897482dc0950089cf808c407ce51c6a1d961238ed1c79a2315836c587e62efdd495a1b1dd51983b6fa83b38c515ca54f7f776f3cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
e18f6023a1af5690fe5e612b277388c3

SHA1
b9e09cfcd68e7b9e364fa9c5790133c4efa008fc

SHA256
332f99f8e443f24918457e9d5bace79812a1b973e91db4e799a9c4edf8a075a5

SHA512
3568435a3a31c9f05f8072e4ed5c6533c08459efab62f80a04ea265d7e150fd150b8e72844bac5977f9f70d2b84dfe8037f200989fa94754b84a7aec6abcc1c6

Download Submit